Hiding cloud services for VPN access only

I have a single Azure cloud service that is accessible externally. I would like to restrict access to it only from inside of my organization. I have set up a virtual network between Azure and my organization and configured my cloud service to use that virtual network. The only problem now is how do I restrict external access to my services. It seems that this should be easy to do, but I cannot find a straightforward solution. Am I missing something here?
Thank You!

Hi,
Based on your description, it seems that you want to use a virtual network to restrict external access to your service. Please try creating a new thread in the Windows Azure Network forum; I think you will get more help at that forum.
The Windows Azure Network forum link is:
http://social.msdn.microsoft.com/Forums/en-US/home?forum=WAVirtualMachinesVirtualNetwork
Best Regards

Similar Messages

  • Need advice for starting a Managed Cloud Service for Small Businesses

    I hope this is in the right forum.  I have done a lot of research and searching but haven't found anything that specifically answers, in total, what I am wanting to accomplish.  I live in a small town and want to start a Managed Cloud Service for
    small to small-medium businesses in my area (2-30 users for each business).  I want to market this to have businesses replace their in-house server(s) with virtual ones I would host in a local Data Center with my own equipment that I would maintain.  I
    am just starting off so I don't have any clients I do this for currently, but I get asked about this frequently.  I want to run a 2012 R2 Domain Controller and a Hyper-V 2012 R2 server.  The virtual servers I will host are going to be for AD, RDS,
    FTP, and files.  Software examples that people are going to be using these virtual servers for are Quickbooks, Sage Accounting, Remote Desktop or RemoteApp, custom CRM or small database software, Office 2013, etc.  No Exchange currently but will
    probably configure something for that in the future (maybe run 1-3 virtually for now if someone asks, but will only do it if the user base is fairly small ~under 10 users).  I only have 1 static IP to work with over a 100Mbps connection up and down.
    For hardware, I am figuring something along the lines of this:
    (1) 1U, single CPU w/2-4 cores, 8GB, 2x73GB SAS 10k RAID 1, Dual PSU, running Windows Server 2012 R2 (Domain Controller)
    (1) 2U, 2x 8-core Xeon ~2.6GHz, 80GB RAM, 8x600GB SAS 15k in RAID 10 for Storage (VHDX files, etc), RAID 1 small Basic drives (or USB stick) for OS, Dual PSU, Quad GB NIC which I can use for load balancing/teaming, Hyper-V 2012 R2 (Hyper-V Virtual Server)
    (1) GB Unmanaged Network Switch & (1) Cisco 5510 Firewall
    Most of my questions are about the best way to configure this.  I am planning on managing my Hyper-V from the physical Domain Controller server.  Each virtual server will have RDS & (possibly) AD services on a single server.
    1) I want to replicate the physical Domain Controller.  Should I get another server or just virtualize the replica in Hyper-V?  I understand that if the Hyper-V goes down, so does my DC replica.
    2) Should I use my Domain Controller to manage ALL users on each virtual Server, by creating separate Organizational Units for each business?
    3) Should I set up my domain controller with Hyper-V management and then have each Virtual Server I set up be a separate domain (Ex. mydomain.local, business1.local, business2.local, etc)?  Each one has no connection to any other, completely separate.  Or should I do subdomains (business1.mydomain.local)?
    4) What I have read is that subdomains are a pain to manage with user rights, etc.  I want to keep each server completely separated from one another over a network connection; I suppose the VLAN options through Hyper-V do this?  I don't want wandering users to stumble upon another business's files (I know they would probably be prompted with a login for that business/domain).
    5) For each virtual server, I want to create and have an HTTP subdomain point to that server from my domain name. (Ex: business1.mydomain.com, business2.mydomain.com, etc.)  I want them to be able to have access to
    only their RemoteApps or be able to type that address in their Remote Desktop program as the host name.  This would be for viewing the RemoteApp login page and RemoteApps for that business over HTTP/S through a browser.
    6) If I do not have separate DCs in each virtual and my main DC manages each one, is there a way to connect up each company's RemoteApps using a single site that only shows what they are assigned to based upon their login?
    (Ex. http://login.mydomain.com which then shows that user what they are assigned on their own virtual server)
    7) Since each business will use the same ports for RemoteApp (443) & RDC (3389 unless I change it), how would I set up the subdomains to point to their correct server and not overlap or mess with any of the other servers,
    since it's all over 1 static WAN IP for all servers?  That's why I figured setting up IIS subdomains would solve this.
    8) For backups or Hyper-V replication, is it better to have software that backs up the ENTIRE Hyper-V server (Acronis Advanced Backup for Hyper-V) as well as replication or just backups?  Or should I do separate file
    backup on each virtual with a replica?  Can a replica be a slower server since it's just a backup? (Ex. 1x 8 core, 80GB, 8x600GB 10k SAS)
    9) For the servers that will be using FTP, can I again rely on the subdomains to determine which server to connect to on port 21 without changing each FTP server's ports?  I just want each business/person to type in
    the subdomain for their business and it connect up to their assigned FTP directory over port 21.
    10) If the physical DC manages DNS for all Virtual servers, can I forward sub domain requests to the proper virtual server so they connect to the correct RemoteApp screen etc.  Again all I have is 1 IP.
    I hope all of these questions make sense.  I just want every business to be independent of each other on the Hyper-V, each on their own virtual server, all without changing default ports on each server, each server running RDS, (possibly) AD, (a few) FTP,
    and all over a common single WAN IP.  Hoping subdomains (possibly managed through IIS on the physical DC) will redirect users to their appropriate virtual server.

    If you really want to run your own multi-tenant service provider cloud, Microsoft has defined the whole setup needed.
    They call it Infrastructure as a Service Product Line Architecture.  You can find the full documentation here -
    http://blogs.technet.com/b/yuridiogenes/archive/2014/04/17/infrastructure-as-a-service-product-line-architecture.aspx
    There are several different ways of configuring and installing it.  Here is a document I authored that provides step-by-step instructions for deploying into a Cisco UCS and EMC VSPEX environment -
    http://www.cisco.com/c/dam/en/us/td/docs/unified_computing/ucs/UCS_CVDs/ucs_mspc_fasttrack40_phase1.pdf
    This document contains the basic infrastructure required to manage a private cloud.  I will soon be publishing a document to add the Windows Azure Pack components onto the above configuration.  That is what would more easily provide a multi-tenant
    experience with an Azure look and feel.  It is not Azure, but the Azure Pack is a series of applications, some of which came from Azure, that provides Azure-like capabilities only in a service provider type of environment.
    Whether you use my document or not (which has actually corrected errors found in the Microsoft documentation), you should take a look at it to see what it takes to put something like this up, if you are really serious about it.  It is not a small undertaking. 
    It requires a lot of moving pieces to be coordinated.  Yes, my document is designed to scale to a large environment, but you need the components that are there.  No need re-inventing the wheel.  Microsoft's documentation is based on a lot of
    real hands-on experience of their consulting organization that has been doing this for customers for years.  This one is also known as Fast Track 4.  I've done 2 (2008 R2) and 3 (2012) also, and it just keeps getting more complicated based on customer
    demands and expectations.
    Good luck!
    . : | : . : | : . tim

  • HT3728 I do not need another wireless network but want to use the airport express for printer access only.  Can this be done and how?

    I do not need another wireless network but want to use the airport express for printer access only.  Can this be done and how?

    You can configure the AirPort Express to "Join a wireless network" and enable the Ethernet port so that Ethernet devices will be able to connect.
    In order to print from the iOS devices, you will need to have an application like Printopia installed on your Mac. The Mac must be active when you want to print.
    More details here: Printopia - AirPrint to Any Printer - Print from iPad - Print from iPhone ...
    There is a free trial available for Printopia, so make sure that it will work before you buy the AirPort Express.

  • Azure: "Cloud Services" for VM - Load Balancing, yes, and other things?

    I'm trying to get a handle on the significance of the cloud service
    (that is created when a new VM is created). I understand that a group of
    VMs need to belong to the same cloud service in order to participate in
    Load Balancing. I can't see any other reason to group VMs into a single
    Cloud Service. On the other hand it seems like overkill to create a
    cloud service for each VM.
    Are there any advantages/reasons to adding a group of VMs to Cloud Service other than Load Balancing?

    Hi,
    If you make a group of VMs a cloud service, you can configure and manage them yourself. You can select Linux or Windows Server VMs and either compose the VM images in the cloud or upload a VHD you've previously
    created using Hyper-V. You can capture a VM and add it to your image gallery for easy reuse. You can also run a product like Active Directory, SQL Server or SharePoint Server successfully, etc.
    I suggest you have a look at the following article. (Creating a VM as a cloud service belongs to IaaS.)
    http://davidpallmann.blogspot.in/2012/07/windows-azure-is-3-lane-highway-how-to.html
    Best Regards

  • ACS/ASA authentication for vpn access vs. console management access

    I have an ACS 4.2 Server and an ASA 5540. I have set up AnyConnect SSL VPN on the ASA and want to authenticate users using AAA TACACS+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have set up a group in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I set up the VPNUSER group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for VPN, they can also SSH to the firewall, which is what I want to prevent.

    Try using Network Access Restrictions (NAR), where you can restrict the administrative access on a per-device or on an NDG basis.
    By default, user accounts from an external database such as AD in ACS will get authenticated through telnet on a network device or an AAA client, which can be restricted by enabling NAR in ACS.
    In your case it should be VPNUSERS group in ACS.
    HTH
    Ahmed

  • Tiger Server firewall issues - forwarding protocol 47 (GRE) for VPN access

    Hi everybody,
    I'm trying to allow VPN access to my Mac Pro running 10.4.10 Server. I've allowed the TCP and UDP ports, but the sticking point is this: the client tries to connect but I get a bunch of these in the firewall log:
    Deny P:47 xxx.xxx.xxx.xxx(address initiating VPN) 10.0.100.222(MacPro local address) in via en0
    After doing some research I figured I needed to allow protocol 47 (GRE) and so tried to add a rule via the "Advanced" tab for firewalls in server manager. I click the + button, select allow, leave the other field, select GRE, and then select from:any and to:any and the in dropdown. When I try to save and activate the rule, however, it complains that there is an error and that all subsequent rules are skipped. I've tried all the possible variations (within my parameters, of course) but it won't work.
    Manually inspecting the /etc/ipfw file shows the rule added but without a specification for the GRE or protocol 47 part. i.e.:
    add 1050 allow from any to any in
    (This looks a little like a server manager bug to me, but I digress)
    So I tried manually editing the file in /etc/ipfilter but no joy.
    Being somewhat new to OSX I am getting flustered. Am I completely misunderstanding something here? While a search on "VPN GRE firewall" turns up about a million hits, none seem applicable to my situation. Thanks in advance.

    Try using the "Services" tab, selecting "any" (for example) and configuring the rule there.
    The "Advanced" section will allow you to add rules that don't already exist, but there is already a rule for GRE so that might, possibly have something to do with the error you're getting.

  • Cloud services for SAP Utilities

    Hi,
    I am interested to know where I can find the knowledge and documents related to cloud services offered for the Utility industry by SAP.

    Hi Vijay,
    Currently the only place to get these types of materials is the Service Marketplace (service.sap.com and Business Center).
    If you have authorization you may get the detailed material on Cloud services and SAP Business ByDesign.
    I hope the above information may help you.
    Thanks & Regards
    Sreenivas Pachva

  • Configuring blackberry business cloud services for office 365

    Hi,
    As of now we are in the process of moving to Office 365. We have to configure Office 365 for BlackBerry devices.
    Here we have a BlackBerry Enterprise Server, and the devices are BlackBerry Curve and Bold, etc.
    When I went through TechNet I saw two options.
    1. BlackBerry® Business Cloud Services (BBCS) from BlackBerry
    2. BlackBerry® Internet Service (BIS)
    Which one should I prefer based on my server and devices? If I go for BBCS, how do I set it up and configure it?
    Please, can anyone help me with this?

    You need to refer to the option 1
    1.Blackberry® Business Cloud Services (BBCS) from BlackBerry
    Refer this Document
    http://us.blackberry.com/business/products-services/cloudservices.html
    This gives the Architecture in detail
    http://www.itproportal.com/2012/06/27/bis-bes-and-blackberry-services-office-365/
    Regards Chen V [MCTS SharePoint 2010]

  • Your favorite cloud service for iPad?

    Noobie here...looking to put all my docs on the cloud (need about 10 gigs total).
    There are so many options; what would you suggest and why?

    I personally think Dropbox is the most reliable
    Other cloud service
    Dropbox
    http://i1224.photobucket.com/albums/ee374/Diavonex/fb81ad7f.jpg
    Box.net
    http://i1224.photobucket.com/albums/ee374/Diavonex/2d669746.jpg
    Sugarsync
    http://i1224.photobucket.com/albums/ee374/Diavonex/ac82a9f8.jpg

  • Does business service have an application service for secure access?

    Hi
    Recently we faced a strange situation when attempting to execute a script.
    These are the steps I followed:
    *1.Created a business service*
    This is my business service with service name CILCSVAP
    <schema pageAction="read">
    <said mapField="SA_ID"/>
    <indt mapField="START_DT"/>
    </schema>
    *2.Added the above business service in service script and used the edit data step to invoke the bs*
    No application service given for the script.
    invokeBS 'Cm_serviceagreement' using "cm_serviceagreement"
    Now when I execute the above script
    I am getting the following error:
    You are not allowed access (directly/indirectly) to this account.
    *     Description: Please contact your security administrator to check your security for this account.*
    I know that this error occurs if a user doesn't have access to an account, but I checked that too by verifying the access group of the account I am using and then its access roles, and then I checked whether the user I had logged in with is present. Yes, it is present.
    Now I am wondering whether a business service has an application service.
    I can't find any field for entering an application service on the business service page.
    Although I have access to execute the script and the business service, why am I getting this error? Please help.

    Hi shanker,
    I'm working with MDM 2.0 and I've a field to enter an application service.
    During my customizations I've used the 'default execution application service'.
    I've tried to attach an image to this post, but it seems to be not possible.
    When I add a new business service, I got these settings:
    * Business Service (in your case CILCSVAP)
    * Description
    * Detailed Description
    * Service Name (Name of the System Service)
    * Application Service (I've used F1-DFLTAPS)
    and on an additional tab the Schema of the BS.
    Please check if the application service is assigned to your User Group and if the execution right is set.
    /Markus

  • Can't see bonjour services from VPN access

    Hi,
    I've got several Macs and devices on my local network at sub-network 192.128.1.x (router at 192.168.1.1).
    With my MacBook Air, for instance, Finder automatically finds all my devices (Macs, router, Windows PC, NAS...) and they are in the left folder of the Finder view.
    When I'm out of my home, I connect my MacBook to my home network through a VPN server (PPTP). The mapping of this VPN is 192.168.2.x.
    I can mount my remote devices, which are in the 192.168.1.x subnet, through a manual command (Alt K in Finder - connect to...).
    But the Finder can't see them automatically.
    Is there a way to set up Bonjour services, or subnets, or Finder automatic browsing, to find all my devices as if I were at home?
    Thanks for any advice

    So you are using a separate account (not admin) on this Mac.
    Bonjour usually picks up the name of the computer in sys prefs/sharing.
    Edit: just checked and it's getting it from the address book, so the MEcard is yours.

  • Shared Computer - Want Creative Cloud Application for single user only on Mac

    Hi, the creative cloud icon appears in the menu bar for all users on our family mac. I only want it for my own user, not for my family users, because they are asked about CC user and password. How can I set it up so that it doesn't appear in the menu bar for the other users? Note: The menu "Settings" can only be reached when logging on to Adobe CC first - so this is not an option as they don't have such a user.

    Hi,
    Unfortunately the description of how to disable it doesn't work (I had already found it on the internet before).
    - For my own user (and also when I'm logging on with a family user), the Creative Cloud App doesn't appear in the list of apps. (See screenshot).
    - For other users, the "Log In Items" (German: Anmeldeobjekte) doesn't even appear (see screenshot).

  • Right role/privileges for KVM Access only in UCS

    Hi
    I am making some locally Authenticated Users for some people at work.
    They only need to access KVM and do things there.
    What role/privileges do I need to set on the user?

    Thank you for your answer.
    I have looked into the thread, and was thinking about method #4.
    I have created a user under Locally Authenticated Users and if I set the role Operations I get this message after pressing launch under KVM launch manager.
    If I type the same username and password, I get login failed.
    If I add the role Server-profile to the user, I can log in with no issue. But then I am afraid that I give too many privileges to the user.
    I'm using a Management IP Pool, so I don't know if the other methods work better. I think it is difficult to know the IP address, and maybe the address can change.
    The best would be that, when I add a server to UCS, the user can find the server KVM by himself, and I don't need to find the IP address and give it to him.
    Maybe I am way off here, so please help me :)

  • Is there any way to affect the progress of availability (iTunes cloud services) for my country?

    I am a Norwegian iTunes user, and have purchased various songs on various devices (MacBook, iPhone, iMac).
    I'm getting sick and tired of not being able to sync my purchases to all devices.
    - Is there any way to provoke the progress of getting services like Match in my country too?

    Primarily I was thinking about http://support.apple.com/kb/HT5085.
    But I think the lack of automatic downloads is an automatic result of not being able to use the cloud for music/video.
    You might not be aware of this, but there's currently no way for me (and many others) to have the same files on more than one device (unless paying for another copy).

  • WLC ACL For Internet Access Only

    I've implemented Cisco ISE 3495's with the advanced subscription license.  I've built my policy sets, and authorization profiles.  It all works great!  Here's the issue that I'm having.  I have internal employees who bring in their own devices (BYOD).  I want to allow them onto the secured SSID that I've created, but only want to give them access to the intra/internet.  I've created an ACL (EmpInternetOnly) on the WLC.  Here are my rules:
    I can get to the intranet, with no issue (ACL lines 1-4).  I can't get to the internet whatsoever.  I see everything falling down to the deny statement.  When I remove the deny statement (ACL line 14), and put a permit all, then the internet works with no issue.  Am I missing something here?  I've researched this topic on several message boards, but can't find an answer.  I've tried to run the acl debug, on the controller, but do not see any output when I run it.  It might be because I don't understand the proper format of how to set it up.  Any and all replies would be much appreciated!  Thanks!
    Steve
